CyberheistNews Vol 6 #15 |
[FBI ALERT] Dramatic Increase In Email CEO Fraud To 2.3 Billion. |
A brand new alert by the FBI on April 4th warned of a major increase in BEC (CEO Fraud), amounting to a whopping 2.3 billion dollars in losses. This is very relevant information if you are discussing your IT security budget.
FBI officials are warning potential victims of a dramatic rise in the business email compromise scam or “BEC,” a scheme that targets businesses and has resulted in massive financial losses. KnowBe4 has been warning against this kind of threat for a while now, and our platform is able to simulate CEO fraud phishing attacks to inoculate your employees against this type of attack.
Here is what the FBI said:
"The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.
"There are various versions of the scams. Victims range from large corporations to tech companies to small businesses to non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.
- Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries
- From October 2013 through February 2016, law enforcement received reports from 17,642 victims
- This amounted to more than 2.3 billion dollars in losses
- Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss
- In Arizona the average loss per scam is between 25,000 dollars and 75,000 dollars"
If your company has been victimized by a BEC scam:
- Contact your financial institution immediately
- Request that they contact the financial institution where the fraudulent transfer was sent
- File a complaint—regardless of dollar loss—with the IC3
Link: https://www.ic3.gov/complaint/default.aspx
FBI Tips for Businesses:
- Be wary of email-only wire transfer requests and requests involving urgency
- Pick up the phone and verify legitimate business partners
- Be cautious of mimicked email addresses
- Practice multi-level authentication"
Two Important KnowBe4 Tips:
- Send high-risk users a spoofed CEO email as an effective security awareness training exercise
- Check your email server configuration right away. Do a Domain Spoof Test (no cost) and find out if your email server is configured to block spoofing; most are not! Here is the link:
https://info.knowbe4.com/domain-spoof-test
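The spoof test above asks one question: would a receiving mail server have grounds to reject a message forging your domain? The added example below (not KnowBe4's code and not the Domain Spoof Test itself) answers the same question from the domain's own published SPF and DMARC records. The records are passed in as constructed strings so it runs offline; the domain names and addresses are placeholders.

```python
# Added example: grade a domain's SPF and DMARC records for spoof resistance.
# In practice you would fetch the TXT records for "example.com" and
# "_dmarc.example.com" (e.g. with dnspython); here they are supplied inline.
import re

def spf_all_qualifier(spf_txt):
    """Return the qualifier of the SPF 'all' term ('-', '~', '?', '+') or None."""
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return None                      # no SPF record at all
    for term in spf_txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"     # a bare 'all' means '+all' (RFC 7208)
    return None                          # no 'all' term: implicit neutral

def dmarc_policy(dmarc_txt):
    """Return (policy, pct) from a DMARC record, or (None, 0) if absent."""
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return None, 0
    tags = {}
    for part in dmarc_txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags.get("p"), int(tags.get("pct", "100"))

def assess_spoof_protection(spf_txt, dmarc_txt):
    """Would a receiver enforcing SPF/DMARC block a forged From: domain?"""
    q = spf_all_qualifier(spf_txt)
    p, pct = dmarc_policy(dmarc_txt)
    # Only an enforcing DMARC policy (reject/quarantine at 100%) tells
    # receivers to act; SPF '-all' alone is often just logged as a hard fail.
    enforced = p in ("reject", "quarantine") and pct == 100
    finding = "ok" if enforced else ("DMARC not enforcing" if p else "no DMARC record")
    return {"spf_all": q, "dmarc_policy": p, "dmarc_pct": pct,
            "blocks_spoofing": enforced, "finding": finding}

if __name__ == "__main__":
    # Constructed records for a hypothetical domain: a weak and a hardened setup.
    weak = assess_spoof_protection("v=spf1 include:_spf.example.net ~all", None)
    strong = assess_spoof_protection("v=spf1 ip4:203.0.113.10 -all",
                                     "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    print(weak, strong, sep="\n")
```

A "~all" SPF record with no DMARC record, which is the common state the newsletter describes, grades as "no DMARC record": receivers have nothing telling them to reject a forged message.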
|
How Mattel Lost 3 Million In CEO Fraud Phishing |
Great story by Erika Kinetz at the Associated Press on how Mattel fell victim to CEO fraud: phishing and social engineering were used to trick one of their executives in China into making a 3 million dollar wire transfer.
She started the story with: "The email seemed unremarkable: a routine request by Mattel Inc.'s chief executive for a new vendor payment to China.
"It was well-timed, arriving on Thursday, April 30, during a tumultuous period for the Los Angeles-based maker of Barbie dolls. Barbie was bombing, particularly overseas, and the CEO, Christopher Sinclair, had officially taken over only that month. Mattel had fired his predecessor.
"The finance executive who got the note was naturally eager to please her new boss. She double-checked protocol. Fund transfers required approval from two high-ranking managers. She qualified and so did the CEO, according to a person familiar with the investigation who spoke on condition of anonymity because he was not authorized to speak about the matter. He declined to reveal the finance executive's name.
"Satisfied, the executive wired over 3 million dollars to the Bank of Wenzhou, in China."
Read more about how it ended, with links to the AP story here: https://blog.knowbe4.com/how-mattel-lost-3m-in-ceo-fraud-phishing
|
The Ransomware That Knows Where You Live |
It's happening in the UK today, and you can expect to see it in America tomorrow. The bad guys in Eastern Europe often use the U.K. as their beta test area, and once a scam has been debugged, they go wide in the U.S.
So here is what's happening: victims get a phishing email that claims they owe a lot of money, and it has their correct street address in the email.
The phishing emails tell recipients that they owe money to British businesses and charities when they do not. The story appeared first on the BBC website and spread from there. There is more detail at the KnowBe4 Blog, and if you want to have a good chuckle, read the full story at the BBC, scroll down to the end and watch the video they produced to explain what ransomware is: https://blog.knowbe4.com/the-ransomware-that-knows-where-you-live
And some good news, Petya ransomware's hard disk boot record encryption has been defeated and a password generator has been released. More at: https://blog.knowbe4.com/more-about-petya-hard-disk-lock-bsod-ransomware
|
Exciting New Features In KnowBe4 Spring 2016 Release |
Employees are the weakest link in your network security and you need effective security awareness training to keep on top of furiously innovating cybercrime.
The new features we are announcing were previously out of reach for IT managers with limited budget, and we have worked hard to make effective training and frequent simulated phishing affordable for these organizations.
The new Spring 2016 advanced features include:
EZXploit™: Patent-pending functionality that allows an internal, fully automated "human pentest". It launches a simulated phishing attack; when the link is clicked, a secondary ruse such as a Java popup appears, and the user is further social engineered to click on that as well. No malicious action is performed, but the process lets IT see which data is accessible and which users are most prone to click, by collecting information such as user name, IP address, the user's workstation and Active Directory info.
KnowBe4’s Chief Hacking Officer Kevin Mitnick stated "EZXploit truly assesses whether your business can be exploited by the bad guys. Just clicking on a link sent in email alone doesn't mean your business can be successfully phished. The true test is to determine whether the user can be exploited. EZXploit allows you to evaluate that risk."
USB Drive Test™: A customer can download a special, "beaconized" Microsoft Office file from the KnowBe4 admin console onto a USB drive, which can then be dropped in an on-site, high-traffic area. If an employee picks up the USB drive, plugs it into their workstation, and opens the file, it will "call home" and report the fail. Should a user also enable the macros in the file, additional data is tracked and made available in the admin console.
A recent study sponsored by the University of Illinois, the University of Michigan and Google found that 98% of dropped USB drives were picked up and 45% had their files opened or enabled, confirming this as an effective attack vector for social engineering.
GEO-location was added by KnowBe4 to its phishing templates, allowing an admin to see where simulated phishing attack failures are on a map, with drilldown capability and CSV-export options. This is highly useful for multi-site offices and road warriors alike.
The strong demand for KnowBe4’s training has propelled it into the Top Cybersecurity 500 and fueled unparalleled growth for 11 straight quarters. More about this here: http://cybersecurityventures.com/cybersecurity-500/#home/?view_1_page=3
Request a demo and see for yourself how easy it is to train and phish your users: https://info.knowbe4.com/kmsat-request-a-demo
|
Don't Miss Your April Live Demo: New-school Security Awareness Training |
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us tomorrow, April 13, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform and see how easy it is to train and phish your users:
- Send Phishing Security Tests to your users and get your Phish-prone percentage.
- Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
- Point-of-failure training auto-enrollment.
- NEW Phish Alert Button for Outlook so employees can report phishing attacks.
- NEW Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now: https://attendee.gotowebinar.com/register/6306710009986246916
|
Warm Regards, Stu Sjouwerman |
|